In today’s digital landscape, cybersecurity has become increasingly crucial. An accomplished expert in this field, Tony UcedaVelez stands out as a pioneer in a risk-centric approach to cybersecurity. Having challenged the status quo of the defensive strategies, Tony developed an entire methodology to highlight the importance of the offensive “hacker mindset” approach to safeguarding the most valuable asset of modern times – data.
This article will delve into Tony’s background, methodology, and invaluable insights. Tony’s knowledge is indispensable whether you are a business proprietor or an individual seeking to safeguard your information. Discover what makes Tony one of the most highly-regarded cybersecurity professionals in the industry.
Tony UV is an accomplished information security and technology expert with an impressive 23-year track record of hands-on experience. He has worked with global Fortune 500 firms and U.S. federal agencies as a consultant and practitioner, providing strategic and effective security consultation services. He is the founder and CEO of VerSprite, a global cybersecurity consulting firm.
“Before VerSprite, there were many consulting firms that were one-sided, only conveying “risk” from one angle (such as, exploit viewpoint, compliance standpoint, audit controls),” Tony states. “I wanted to encompass a more comprehensive understanding of security risk and reflect that such a risk is made of multiple layers (people – processes – technology) and must be contextualized to be relevant and material.”
VerSprite focuses on developing authentic and tailored solutions for clients with consideration for their risk appetite, threat landscape, technology footprint, and regulatory environment.
Expertise in Security Risk Management, Threat Modeling, and Security Architecture
Tony’s extensive experience spans security risk management, application security, threat modeling, and security architecture. He frequently appears as a speaker at major IT conferences and literally wrote a book on cybersecurity, Process for Attack Simulation and Threat Analysis (PASTA), co-authored with Mike Moreno.
Invented by Tony, PASTA became a leading risk-centric methodology that can be integrated into an application lifecycle or at an organization level. It is widely accepted in the cybersecurity realm as the most effective cybersecurity strategy.
He takes a risk-centric approach to his work, bridging technical security risks with operational and financial risks. This approach helps organizations understand the impact of poor security practices on their business.
With a comprehensive approach to threat modeling, Tony, through his company’s services, offers integrated solutions that draw from various maturity models such as SAMM, BSIMM, and CMMI, as well as risk and control frameworks like OCTAVE, FAIR, NIST 800-53, ISO, and CoBIT.
Renowned Threat Modeling Evangelist
Tony is a leading voice in application security and a renowned threat modeling evangelist. He has shared his insights and expertise in hundreds of talks across four continents. PASTA threat modeling methodology represents his expertise in the field and provides cybersecurity professionals with the most effective framework for evaluating cyber risk.
What is a threat model? Security professionals use threat models to discover flaws in application environments, systematically exploiting applications (mobile, IoT, etc.) for security purposes. Threat modeling allows you to acknowledge security concerns and create appropriate countermeasures before the bad guys exploit them. PASTA is a risk-centric threat modeling methodology that provides a step-by-step process to inject risk analysis and context into an organization’s overall security strategy. It allows for collaboration between developer and business stakeholders to truly understand your application’s inherent risk, its likelihood of an attack, and the business impact if there was a compromise. Other traditional threat modeling frameworks can be hyper-focused on one component, such as coding or the actual attack. For instance, STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege) is a mnemonic used and recommended by many. It is simple to implement because it is a static framework. However, with ever-evolving threat landscapes, it doesn’t make sense to have static threats across several industries. PASTA has many advantages over other traditional threat modeling methods.
Active Role in OWASP and BSides Atlanta
Tony currently leads the OWASP Atlanta Chapter. OWASP works to improve software security through its community-led open-source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences. Tony spearheads monthly workshops and events for Atlanta’s web application security community. He also plays an active role across multiple OWASP projects at a global level, earning recognition as a vocal leader in the global OWASP community. Beyond OWASP, Tony has played a key role in launching BSides Atlanta over the past four years, fostering a grassroots security event aimed at providing a hands-on approach to IT groups in the local area.
Tony UV’s unwavering commitment to developing strategic security solutions that address the multiple facets of enterprise risk has earned him industry-wide recognition. His extensive experience across numerous control frameworks, including ITIL, NIST, ISO, and CoBIT, has been instrumental in maturing security programs built around automated, risk-centric, and process-based controls for clients across the commercial and government sectors.